
Managing Samba-3.0.21: The pdbedit utility, part 2

The pdbedit tool in Samba-3 is the only one that can manage account security and policy settings important to businesses that must comply with the Sarbanes-Oxley Act of 2002. If you're migrating from Windows to Linux, or remotely managing Samba-3, knowing how to prepare and use Samba-3 PDC is a must.

The pdbedit tool in Samba-3 is the only one that can manage account security and policy settings. As I said in part one of this tip, having control of account security and policy settings is important to businesses that must comply with the Sarbanes-Oxley Act of 2002. Now, I'll show you how to put pdbedit to work creating Linux system user and group accounts; assembling Windows group accounts, thus mapping Windows group accounts to Linux group accounts; adding Windows user accounts; and establishing network access policies and controls.

First, let's get on with the establishment of Linux system user and group accounts.

Two group accounts will be created, one for scientists, and one for managers:

root #> groupadd scientists

root #> groupadd managers

Two user accounts will be created here: one for Tom Bryant (scientists), and one for Melinda Stone (managers). Both users require a home directory. The following steps will create these accounts:

root #> useradd -m -c "Tom Bryant" -G scientists -g users tbryant

root #> passwd tbryant

New Password: XXXXXXX

Re-enter New Password: XXXXXXX

root #> useradd -m -c "Melinda Stone" -G managers -g users mstone

root #> passwd mstone

New Password: XXXXXXX

Re-enter New Password: XXXXXXX

Both accounts are specifically created to be primary members of the users group, and secondary members of the respective groups to which they also belong.

Creation of Windows group accounts

Linux group accounts must now be mapped to Windows group accounts. The following commands will map the key Windows domain groups to local Linux system accounts:

Addition of Windows user accounts

The following steps create the SambaSAMAccount entries in the passdb backend that was chosen in the last article (tdbsam). The use of the pdbedit tool will demonstrate the account information that can be managed.

In many cases, it is more desirable to create a global network access policy than to be required to set each account separately. The global setting must be in place before user accounts are created, otherwise the old settings will continue to be used. The per-user settings override the global settings.

In the following example, a global policy will be implemented. The policies that can be set include:

min password length

password history

user must logon to change password

maximum password age

minimum password age

lockout duration

reset count minutes

bad lockout attempt

disconnect time

refuse machine password change

In our example, we will implement stringent Sarbanes-Oxley compliance settings.

root #> pdbedit -P "min password length" -C 8

description: Minimal password length (default: 5)

account policy "min password length" value was: 5

account policy "min password length" value is now: 8

The policy was set to eight characters; security-conscious sites may want to set this to 14 characters. Next, the password history is configured:

root #> pdbedit -P "password history" -C 5

Length of Password History Entries (default: 0 => off)

account policy "password history" value was: 5

account policy "password history" value is now: 5

In the example above, the last five passwords will be remembered. This means that an old password can be reused only after six unique passwords have already been used. We want a minimum password age of 45 days (3888000 seconds).

Passwords must be changed every 45 days. This means that an old password can be re-used only after 270 days. If the minimum password age is left at the default, a smart user can simply enter six new passwords and then reset the original password in rapid succession, thereby defeating the controls.

The setting above ensures that the user account will be locked out after three failed logon attempts. This is an important means by which password cracking attempts may be thwarted.
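The baseline set above can be checked rather than taken on trust. The following POSIX shell script is an added example, not code from the article or the Samba project; it assumes that `pdbedit -P "<name>"` prints a line of the form `account policy "<name>" value is: <n>` for each policy (the sample text below is constructed, not captured from a server) and flags any value outside the ranges the article calls for.

```shell
#!/bin/sh
# Audit Samba account-policy values against the article's baseline.
# Input: the concatenated output of `pdbedit -P "<policy>"` for each policy.
# Constructed sample (assumed line format), not real server output:
SAMPLE_DUMP='account policy "min password length" value is: 8
account policy "password history" value is: 5
account policy "minimum password age" value is: 3888000
account policy "maximum password age" value is: 3888000
account policy "bad lockout attempt" value is: 3'

# policy_value NAME DUMP: print the integer on the "value is" line for NAME.
# The name is matched with its quotes so "minimum password age" cannot
# match "maximum password age"; description lines are skipped.
policy_value() {
    printf '%s\n' "$2" | awk -v n="\"$1\"" 'index($0, n) && /value is/ { print $NF; exit }'
}

# audit_policy DUMP: print one line per failing control; succeed only if all pass.
audit_policy() {
    dump=$1
    fails=0
    # check NAME MIN MAX: the value must lie within [MIN, MAX]
    check() {
        v=$(policy_value "$1" "$dump")
        if [ -z "$v" ]; then
            echo "MISSING: $1"; fails=$((fails + 1))
        elif [ "$v" -lt "$2" ] || [ "$v" -gt "$3" ]; then
            echo "FAIL: $1 = $v (need $2..$3)"; fails=$((fails + 1))
        fi
    }
    check "min password length" 8 4294967295         # article sets 8 (14 is stricter)
    check "password history" 5 4294967295            # remember at least 5 old passwords
    check "minimum password age" 3888000 4294967295  # >= 45 days blocks rapid cycling
    check "maximum password age" 1 3888000           # must expire within 45 days; 0/-1 = never
    check "bad lockout attempt" 1 3                  # lock after at most 3 failures; 0 = never lock
    [ "$fails" -eq 0 ]
}

# On a live server, collect the values first, e.g.
#   for p in "min password length" "password history"; do pdbedit -P "$p"; done > policy.txt
# and then run: audit_policy "$(cat policy.txt)". Here the constructed sample is used.
audit_policy "$SAMPLE_DUMP" && echo "policy baseline satisfied"
```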

Where an LDAP passdb backend is used, the policy settings must be exported to the LDAP directory. This can be done by executing:

root #> pdbedit -y -i tdbsam -e ldapsam

It must be noted that the full capabilities mentioned in this article were stabilized in the Samba-3.0.21 release. Where Sarbanes-Oxley compliance is required, please use the most recently released stable version. At the time of writing this is 3.0.21.

The use of the Samba pdbedit tool has been shown to be a simple matter. Once you have mastered it, you'll be ready to move on to the next phase of mastering Samba management: the practical use of the net command, both for initial configuration and for ongoing system maintenance. That's the topic of the next episode in my Managing Samba series.
